Cyber Essentials and Application Vulnerabilities

Building on Cyber Essentials

For most businesses, it can be hard to know where to begin with IT security. Most of us return to the old favourites:

a robust firewall

some antivirus scanning

policies that steer people towards secure use

But how much is enough? What does fundamentally good security look like? And, as the threat landscape changes fast, how should patching application vulnerabilities factor into your day-to-day defence?

The Cyber Essentials scheme, developed by the UK government and industry, sets out a range of clear controls to protect against the most common cyber attacks. There are two levels to the scheme – Cyber Essentials, involving a self-completion questionnaire, and Cyber Essentials Plus which includes an on-premise assessment.

As you’d expect, application vulnerabilities play an increasingly significant role in the framework that these assessments follow.

What is the Cyber Essentials scheme?

Cyber Essentials is a framework that’s really two things at once.

For companies that supply the public sector, it’s a list of minimum security obligations they need to comply with. For everyone else, it’s an opportunity to check and self-assess your baseline security and get certified to build customer confidence.

The framework covers five key areas:

Boundary firewalls and internet gateways to keep data safe as it comes into and out of your network

Secure configuration that reduces your exposure

Access control that determines who can access what, and how

Malware protection that protects against viruses, spyware, and worms

Patch management that closes the vulnerabilities in your software

Of course, these are areas that most IT teams already prioritise. But while you’re probably already patching out-of-date software, it’s your approach and methodology that could be letting you down.

Are you patching beyond the baseline?

In the Cyber Essentials framework, the government suggests you apply all patches within 30 days and, for security patches, within a window of 14 days. Even those example timelines could be hard to keep up with if you’re manually finding applications and installing the appropriate updates.

Worse, the guidance misses a few key practical issues.

First, it makes the assumption that you know every third-party application that’s installed on your network. If you’re running services across multiple locations, with growing use of Bring Your Own Device (BYOD), there’s a good chance your visibility is less than perfect.

What’s more, it’s a simplification to think that all security patches are equally critical. In fact, the nature of application vulnerabilities varies hugely – from minor weaknesses with no real exploit to serious issues that could offer an attacker complete access to your core systems. There’s a need to prioritise on a more granular level if you’re going to protect against the most serious vulnerabilities first.

In addition, end-of-life and non-supported software should ideally be removed from the network entirely – or at least from any devices that can connect to the internet. In a world where businesses are built around legacy software, it can be hard to keep up with an ever-changing landscape.

The baseline within the Cyber Essentials framework is a good starting point, but the most effective remediation goes further. Unfortunately, manually patching makes that incredibly difficult to achieve.
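
To make the points above concrete, here is an added example (not from the original article or any vendor's product) that checks a software inventory against the 14-day and 30-day windows, orders the patch queue by severity, and separates out end-of-life software. The Finding fields, the 0-10 severity score, the action labels and the sample inventory are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

SECURITY_WINDOW_DAYS = 14   # window the article gives for security patches
GENERAL_WINDOW_DAYS = 30    # window the article gives for all other patches

@dataclass
class Finding:
    host: str
    app: str
    patch_released: Optional[date]  # None when no patch exists (end-of-life)
    security: bool = False
    severity: float = 0.0           # assumed 0-10 score, e.g. a CVSS base score
    internet_facing: bool = False
    end_of_life: bool = False

def days_overdue(f: Finding, today: date) -> int:
    # Days past the window; zero or negative means still inside it.
    window = SECURITY_WINDOW_DAYS if f.security else GENERAL_WINDOW_DAYS
    return (today - f.patch_released).days - window

def triage(findings, today):
    """Return (unsupported, queue): software to remove, and patches by priority."""
    unsupported, queue = [], []
    for f in findings:
        if f.end_of_life or f.patch_released is None:
            # Nothing to install: remove it, internet-connected devices first.
            action = "REMOVE_NOW" if f.internet_facing else "PLAN_REMOVAL"
            unsupported.append((action, f))
        else:
            overdue = days_overdue(f, today)
            queue.append(("OVERDUE" if overdue > 0 else "IN_WINDOW", overdue, f))
    unsupported.sort(key=lambda r: not r[1].internet_facing)
    # Most serious vulnerability first; the longest-overdue item breaks ties.
    queue.sort(key=lambda r: (-r[2].severity, -r[1]))
    return unsupported, queue

# Constructed sample inventory (hosts, apps, dates and scores are invented).
TODAY = date(2024, 5, 20)
SAMPLE = [
    Finding("srv-web-02", "text-editor", date(2024, 4, 10)),
    Finding("ws-014", "media-player", date(2024, 5, 10), security=True, severity=4.3),
    Finding("lab-07", "legacy-cad", None, end_of_life=True),
    Finding("ws-014", "pdf-reader", date(2024, 5, 1), security=True, severity=9.8),
    Finding("kiosk-03", "legacy-browser", None, internet_facing=True, end_of_life=True),
]

if __name__ == "__main__":
    for row in sum(triage(SAMPLE, TODAY), []):
        print(*row)
```

On the sample data, the critical PDF reader patch is five days past its 14-day window and heads the queue, while the text editor update is ten days past the 30-day window but ranks last because it fixes no vulnerability.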

Automating your patch management

The truth is that manually patching doesn’t give you the comprehensive visibility you need to find every application, or the insight and intelligence you need to prioritise your response. It takes automated application discovery, real-time threat intelligence, and highly automated patching to really secure your infrastructure.

So you can meet the expectations of Cyber Essentials – and go beyond them to achieve security you can depend on.
